Chapril/mobilizon.chapril.org-mobilizon
Chapril
/
mobilizon.chapril.org-mobilizon
24
0
Fork 0
Code Issues Pull Requests Releases Activity

Allow every origin for connect-src because of Webfinger 

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel 2021-02-26 11:44:27 +01:00
parent 5f7544eb2e
commit 8508558945
No known key found for this signature in database
GPG Key ID: A061B9DDE0CA0773
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/web/plugs/http_security_plug.ex
View File

@ -52,8 +52,9 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
media_src = ["media-src 'self' "] ++ Config.get([:http_security, :csp_policy, :media_src])
# Connect-src is available for any origin because of webfinger query to redirect to content
connect_src =
["connect-src 'self' blob: ", static_url, ?\s, websocket_url] ++
["connect-src 'self' * blob: ", static_url, ?\s, websocket_url] ++
Config.get([:http_security, :csp_policy, :connect_src])
script_src =